Spam Control Considered Harmful

John A. Tamplin jat at
Thu Oct 30 03:53:52 UTC 1997

On Wed, 29 Oct 1997, Jay R. Ashworth wrote:

> > We are an ISP and we don't block our dialups from going to port 25 elsewhere
> > because this would eliminate their ability to rightfully use another mail
> > server.  This frequently occurs when a user accesses a mail server at work
> > from their home dialup account.  If other ISPs did this, we would have a
> > problem where a user dialing into their ISP couldn't reach their virtual
> > mail server, hosted on our network.  We currently don't have many going
> > the other way, but that may change.
> This is roughly akin, though, isn't it, John, to the cache pollution
> problems that make it pretty much a requirement to run 2 separate
> nameservers: one for recursion and caching, and the other to be
> authoritative?
> Run a separate relay server, with some authentication, for users
> connecting from outside your AS.

The point is there can be no useful authentication for outgoing email if 
you don't block it by IP address.  However, that is a discussion about 
blocking spam relay, not about blocking outgoing SMTP.  If we install a 
filter at the router that blocks all traffic from dialup connections to 
port 25 anywhere else, then it doesn't matter how many servers we run; they
can't get to another SMTP server, even if they are supposed to be doing it.

> > > The only reason I can think of that would stop this would be if a
> > > user subscribes to earthlink, but uses a UUnet dialin, that customer's
> > > software would be set up to use the Earthlink SMTP servers.
> > 
> > In our case, this doesn't help since we and all the other local ISPs block
> > relay access, so you have to use the mail server of the ISP you are
> > currently connected to.
> Hold it.  Didn't you just say the opposite above?

He offered an example of a customer that has dialup access to two ISPs,
and wants to connect to the SMTP server of the one he isn't currently 
connected to.  Because of the relay blocking that we and all the other ISPs
in town implement (and hopefully ISPs elsewhere), the customer can't do that.

What I said above is that there are other examples that our customers expect
to work, specifically connecting to an SMTP server at work or connecting to
a virtual domain hosted at another ISP (in our case it is primarily the
vdom user dialing into another ISP and accessing the site here).  That is
why we can't block all traffic from dialup to port 25 anywhere.

I think you are confusing the issue of blocking unauthorized relay access 
to your SMTP server, which is easy to do based on CIDR blocks, with that of
preventing dialup customers from relaying through the SMTP servers of others.
The difficulty in the latter is finding a way to determine what SMTP servers
they are supposed to have access to and then implementing that in a router
access list.

John Tamplin					Traveller Information Services
jat at Traveller.COM				2104 West Ferry Way
205/883-4233x7007				Huntsville, AL 35801

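The two controls the message distinguishes, relay blocking on the ISP's own
mail server versus a router access list on outbound port 25 from the dialup
pools, are easy to conflate, so here is an added example (not code from the
original post or from Traveller) that models both as policy checks and then
renders the egress policy as Cisco-style extended ACL lines.  The prefixes,
the local domain and the exception list are constructed from documentation
address ranges and are hypothetical; the exception list stands for exactly
the "which SMTP servers are they supposed to reach" knowledge the post says
is hard to collect.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical, documentation ranges).
DIALUP_POOLS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
LOCAL_DOMAINS = {"example.net"}          # domains we do final delivery for
# Remote SMTP servers our dialup users are entitled to reach directly,
# e.g. a customer's work mail server or a virtual domain hosted elsewhere.
SMTP_EXCEPTIONS = [ip_network("203.0.113.25/32"), ip_network("203.0.113.0/26")]


def in_any(addr, nets):
    """True if addr (string or ip_address) falls inside any listed network."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def relay_allowed(client_ip, rcpt_domain):
    """Control 1: relay policy on OUR mail server.

    Mail for a local domain is final delivery and is accepted from anyone;
    mail for anywhere else is relayed only when the SMTP client sits in one
    of our own CIDR blocks.  This is the easy, CIDR-based check.
    """
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True
    return in_any(client_ip, DIALUP_POOLS)


def egress_permits(src_ip, dst_ip, dst_port):
    """Control 2: router ACL on traffic leaving the dialup pools.

    Only TCP/25 from a dialup address is subject to the filter.  Such
    traffic passes only if the destination is on the exception list;
    everything else on port 25 is dropped, which is what breaks
    legitimate use of a work or virtual-domain mail server unless the
    exception list is kept complete.
    """
    if dst_port != 25 or not in_any(src_ip, DIALUP_POOLS):
        return True
    return in_any(dst_ip, SMTP_EXCEPTIONS)


def _acl_target(net):
    """Render a network as an IOS ACL address/wildcard (or 'host X')."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_acl(number=101):
    """Emit the egress policy as IOS-style extended ACL lines (illustrative).

    Order matters: explicit permits for the exceptions come first, then the
    blanket deny of port 25 from each pool, then a permit for all else.
    """
    lines = []
    for pool in DIALUP_POOLS:
        for srv in SMTP_EXCEPTIONS:
            lines.append(f"access-list {number} permit tcp "
                         f"{_acl_target(pool)} {_acl_target(srv)} eq 25")
    for pool in DIALUP_POOLS:
        lines.append(f"access-list {number} deny tcp "
                     f"{_acl_target(pool)} any eq 25")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    print(relay_allowed("192.0.2.10", "elsewhere.org"))   # our dialup: relay ok
    print(relay_allowed("203.0.113.77", "elsewhere.org")) # outsider: refused
    print(egress_permits("192.0.2.10", "203.0.113.25", 25))  # work server: ok
    print(egress_permits("192.0.2.10", "8.8.8.8", 25))       # anywhere else: dropped
    print("\n".join(render_acl()))
```

Every server a customer legitimately submits to must appear in
SMTP_EXCEPTIONS, and the ACL has to be regenerated whenever it changes;
that maintenance burden, not the mechanics of the filter, is the difficulty
the message describes.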
More information about the NANOG mailing list